UtilityKit

500+ fast, free tools. Most run in your browser only; Image & PDF tools upload files to the backend when you run them.

RSA Key Generator

Issue RSA-OAEP 2048 PEM pairs via Web Crypto.

About RSA Key Generator

RSA Key Generator on UtilityKit generates RSA 2048-bit and 4096-bit key pairs in PEM format entirely inside your browser using the Web Crypto API. Click Generate and within seconds you have a PKCS#8 private key and an X.509 SubjectPublicKeyInfo public key, both ready to copy or download as `.pem` files. No server ever sees your private key — generation runs in the browser's sandboxed cryptographic engine. This tool is built for developers who need realistic RSA key pairs for learning public-key cryptography, writing unit tests against JWT libraries, and documenting API authentication flows. It is not a replacement for production key management: real production keys should be generated with `ssh-keygen` or `openssl genrsa` and stored in a secrets manager. Use UtilityKit's RSA generator to understand PEM format, test your code, and learn.

Why use RSA Key Generator

100% Client-Side Generation

RSA key generation runs entirely in the Web Crypto API inside your browser. The private key is never transmitted to UtilityKit's servers or any third party.

2048 and 4096-bit Support

Generate keys at the two most common RSA sizes. 2048-bit is sufficient for most library tests; 4096-bit provides examples of stronger key material for security documentation.

Standard PEM Format

Output follows PKCS#8 (private key) and SubjectPublicKeyInfo (public key) PEM encoding — the format expected by OpenSSL, Node.js `crypto`, Java KeyStore, Python `cryptography`, and most JWT libraries.

Learning and Documentation

See what real RSA PEM files look like, learn the PKCS#8 and SPKI header/footer conventions, and use realistic key pairs in API documentation and architecture diagrams.

Instant Dev Environment Setup

Populate local `.env` files for JWT signing tests, mock SSH authentication flows, or TLS certificate generation exercises without touching OpenSSL on the command line.

No Install Required

Generate valid RSA PEM keys without installing OpenSSL, Node.js, Java Keytool, or any CLI tool — useful in restricted environments or when onboarding developers quickly.

How to use RSA Key Generator

  1. Choose a key size: 2048-bit for standard development use and library compatibility testing, or 4096-bit for examples demonstrating stronger key sizes.
  2. Select the output format: PEM (Base64-encoded DER with header/footer lines) is the universal default. PKCS#8 is used for private keys; SubjectPublicKeyInfo (SPKI) for public keys.
  3. Click Generate Key Pair. The Web Crypto API performs RSA-OAEP key generation in the browser's sandboxed cryptographic engine — this takes one to four seconds for 4096-bit keys.
  4. Review the generated private key (BEGIN PRIVATE KEY) and public key (BEGIN PUBLIC KEY) in their respective output panels.
  5. Copy each key individually using the copy button, or click Download to save `private.pem` and `public.pem` files to your machine.
  6. Use the keys in your development environment: paste into your `.env` file for a JWT library test, feed them to `openssl` for validation, or use them as fixture data in unit tests.

When to use RSA Key Generator

  • When writing unit tests for JWT RS256/RS512 signing and verification and you need a realistic key pair as a test fixture.
  • When documenting an API authentication flow and you need example PEM-formatted keys to include in code samples and README files.
  • When learning public-key cryptography and you want to see the structure of RSA PEM files without running OpenSSL on the command line.
  • When setting up a local development environment for a service that uses RSA encryption and you need keys immediately without installing cryptographic CLI tools.
  • When generating throwaway key pairs for sandbox or mock environments where the actual private key security does not matter.
  • When validating that your RSA key parsing code handles both 2048-bit and 4096-bit keys correctly by testing against generated examples.

Examples

Generate 2048-bit RSA key pair

Input: Key size: 2048-bit, Format: PEM

Output: -----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASC...(Base64 DER, ~1700 chars) -----END PRIVATE KEY----- -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...(Base64 DER, ~392 chars) -----END PUBLIC KEY-----

Use private key for JWT RS256 signing (Node.js)

Input: Generated private.pem + payload: { userId: 42, role: 'admin' }

Output: const jwt = require('jsonwebtoken'); const fs = require('fs'); const privateKey = fs.readFileSync('private.pem'); const token = jwt.sign({ userId: 42, role: 'admin' }, privateKey, { algorithm: 'RS256' }); // eyJhbGciOiJSUzI1NiJ9.eyJ1c2VySWQiOjQyLCJyb2xlIjoiYWRtaW4ifQ...

Validate private key with OpenSSL

Input: Downloaded private.pem file

Output: $ openssl rsa -in private.pem -check RSA key ok writing RSA key -----BEGIN PRIVATE KEY----- ...

Tips

  • After downloading a generated private key, immediately verify it with `openssl rsa -in private.pem -check` — a valid key returns 'RSA key ok'. This confirms the PEM was saved without truncation or encoding corruption.
  • Never commit generated private keys to a Git repository, even for test fixtures. Use environment variables or a secrets manager reference instead — git history is permanent and public repositories are searchable.
  • For JWT testing, pair the generated key with a library like `jsonwebtoken` (Node.js) or `python-jose` (Python). Ensure your library accepts PKCS#8 PEM; some older libraries expect the traditional `BEGIN RSA PRIVATE KEY` format, which requires an OpenSSL conversion step.
  • If you need the public key in JWK (JSON Web Key) format for a JWKS endpoint, use `node-jose` or the `jose` library to convert the PEM public key: `jose.JWK.asKey(publicKeyPem, 'pem').then(k => k.toJSON())`.
  • For learning purposes, compare the Base64 body of your PEM with the ASN.1 DER structure using an online ASN.1 decoder (like lapo.it/asn1js). This shows the modulus, public exponent, and private exponent components that make up an RSA key.

Frequently Asked Questions

Is this safe for production secrets?
No. This tool is for learning, development testing, and non-production use only. For production RSA keys — TLS certificates, production JWT signing, SSH server keys — generate them with `openssl genrsa` or `ssh-keygen` on a trusted, air-gapped machine and store them in a hardware security module (HSM) or secrets manager (AWS KMS, HashiCorp Vault). Browser-generated keys should never protect real user data or production systems.
Does the private key ever leave my browser?
No. The entire key generation process runs in the Web Crypto API sandboxed inside your browser. The private key is never sent to UtilityKit's servers. However, you are responsible for what happens after you copy or download the key — treat it with the same care as any sensitive credential.
What is the difference between 2048-bit and 4096-bit RSA?
Both are considered computationally secure today. 2048-bit offers 112 bits of security and is standard for most applications (SSH, TLS, JWT). 4096-bit offers ~140 bits of security and is used when long-lived keys (10+ years) or higher assurance is required — at the cost of slower key generation and signing operations. For dev and test use, 2048-bit is fine.
What is PEM format?
PEM (Privacy-Enhanced Mail) is a Base64-encoded DER structure wrapped in `-----BEGIN TYPE-----` / `-----END TYPE-----` header and footer lines. It is the most common format for sharing RSA keys across OpenSSL, Node.js, Python, Java, and most JWT libraries. The tool outputs PKCS#8 PEM for private keys and SubjectPublicKeyInfo PEM for public keys.
Can I use the generated keys with OpenSSL?
Yes. Paste the private key into a `.pem` file and run `openssl rsa -in private.pem -check` to validate it. You can also convert to other formats: `openssl pkcs8 -in private.pem -out traditional.pem -nocrypt` converts PKCS#8 to the traditional RSA format expected by some older libraries.
Can I use these keys for JWT RS256 signing?
Yes. RS256 JWTs are signed with an RSA private key and verified with the corresponding public key. Paste the generated private key into your JWT library's signing configuration (e.g. `jsonwebtoken` in Node.js) and the public key into your verification configuration. These keys are ideal for local development and unit tests.
Why is 4096-bit key generation slow in the browser?
RSA key generation involves finding large prime numbers — a computationally expensive operation that scales with key size. 4096-bit generation can take two to five seconds even on a modern CPU. This is normal. The Web Crypto API runs the operation in a background thread to avoid freezing the browser tab.
Can I use these keys for SSH authentication?
The private key format (PKCS#8 PEM) is not the default format expected by OpenSSH, which uses its own format. You can convert a PKCS#8 PEM private key to OpenSSH format with: `ssh-keygen -p -m PEM -f private.pem`. However, for real SSH keys, generate them directly with `ssh-keygen` — do not use browser-generated keys for production SSH access.

Explore the category

PGP Encrypt / Decrypt Encrypt, decrypt, generate PGP key pairs, and sign/verify messages in-browser with OpenPGP.js. X.509 Certificate Inspector Decode PEM or DER (base64) X.509 certificates to extract subject, issuer, SANs, validity, key info, and fingerprints. Aspect Ratio Helper Convert width and height pairs into modern aspect-ratio CSS plus legacy padding hacks. SSH Public Key Fingerprint Calculate the MD5 and SHA-256 fingerprints of an SSH public key to verify identity without sharing the full key. JSON Formatter Format, validate and minify JSON Base64 Encode and decode Base64 strings
How PGP Encryption Works: Keys, Trust, and Real-World Use PGP (and OpenPGP) has secured email and files since 1991. We explain key pairs, the web of trust, signing vs encrypting, and where PGP still Mar 2026 · 8 min Public Key Cryptography Explained Simply: Keys, Ciphers, and Signatures The magic behind HTTPS, SSH, and PGP encryption is public key cryptography — a system where you can encrypt a message that only the intended Feb 2026 · 10 min

Glossary

RSA
A public-key cryptosystem based on the computational difficulty of factoring large integers. The key pair consists of a public key for encryption/verification and a private key for decryption/signing.
PEM format
Base64-encoded DER binary data wrapped in `-----BEGIN TYPE-----` / `-----END TYPE-----` ASCII header and footer lines. The standard interchange format for RSA, EC, and certificate key material.
PKCS#8
A standard for private key encoding (RFC 5958) that wraps key material in an algorithm-agnostic container. Indicated by `-----BEGIN PRIVATE KEY-----` in PEM files — distinct from the older `BEGIN RSA PRIVATE KEY` (PKCS#1) format.
SubjectPublicKeyInfo (SPKI)
The X.509 standard structure for encoding public keys, including the algorithm identifier. Indicated by `-----BEGIN PUBLIC KEY-----` in PEM files and used by the Web Crypto API's `exportKey('spki')` method.
Key pair
In asymmetric cryptography, a mathematically linked pair of keys: a public key (shareable) and a private key (secret). Data encrypted with the public key can only be decrypted with the private key, and vice versa.
JWK (JSON Web Key)
A JSON representation of a cryptographic key (RFC 7517), commonly used in JWKS endpoints for OAuth 2.0 and OpenID Connect. RSA PEM keys can be converted to JWK format for use in web authentication flows.